CA IoT Law Forces Individual Device Passwords

Monday, October 8, 2018 @ 04:10 PM gHale

In an attempt to make it harder for bots to take over connected devices that proliferate in the Internet of Things (IoT) environment in California, state legislators have pushed through and California Governor Jerry Brown signed a new law that bans shared default passwords.

The bill will go into effect January 1, 2020, and applies to device manufacturers, whether they do it themselves or contract with another person to manufacture the device on their behalf.

The law requires manufacturers of Internet-connected devices sold in California to “equip the device with a reasonable security feature or features” that are:
• Appropriate to its nature and function
• Appropriate to the information it may collect, contain, or transmit
• Designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure

“…If a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature (…) if either of the following requirements are met: The preprogrammed password is unique to each device manufactured, or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” the bill said.

The bill also states private citizens can’t mount a civil lawsuit if a manufacturer does not follow the law. “The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title,” it said.